What is the least privileged configuration to allow individuals to create user-managed identities and assign non-privileged roles? And using terraform to do the same.

dax-6615 5 Reputation points
2024-12-24T01:09:47.2266667+00:00

Our setup & issue

We're using terraform to manage infrastructure. When trying to create an Azure Key Vault with enable_rbac_authorization set to true, terraform silently succeeds; however, the permission model is set to Vault Access Policy. On subsequent requests terraform errors out because it is not able to configure RBAC on the key vault.


│ Error: updating Key Vault (Subscription: "XXXXXXX"
│ Resource Group Name: "YYYYY"
│ Key Vault Name: "SSSSSS"): vaults.VaultsClient#Update: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InsufficientPermissions" Message="Caller is not allowed to change permission model. For more information on how to change the permissions model follow this link: https://go.microsoft.com/fwlink/?linkid=2155160. Details: name=MY_EMAIL_ADDRESS; oid=SOME-UID; action=Microsoft.Authorization/roleAssignments/write; resource=/subscriptions/XXXXXXX/resourcegroups/YYYYY/providers/Microsoft.KeyVault/vaults/SSSSSS; decision=NotAllowed; "

I was also unable to change the permission model via the Azure UI and got a similar error with code InsufficientPermissions.

I have the Owner role assigned for subscription XXXXXXX. But that wasn't sufficient. To make it work, we had to remove all the roles under "Allow all except specific roles", which included

  • Owner
  • User Access Administrator
  • Role Based Access Control Administrator

What is the least privileged configuration to make this work? I expect to be able to create User Managed Identities for resources within the subscription and assign roles to them. With the exception of terraform, no other resource needs to be able to assign roles themselves.

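The split the question is asking for, as an added example that is not code from the original post or from either answer: the vault is created on the RBAC model from the start, Terraform's own principal grants the workload identity its single data-plane role, and a human delegate gets only the ability to create identities plus a Role Based Access Control Administrator assignment whose condition limits the roles they can hand out. It assumes the azurerm 3.x provider (where the attribute is still called enable_rbac_authorization as in the question; 4.x renames it rbac_authorization_enabled), takes the resource group and the delegate's object ID as variables, uses placeholder vault and identity names, and the two GUIDs in the allow-list are the published built-in role definition IDs for Reader and Key Vault Secrets User, which should be confirmed with `az role definition list --name "<role name>"` before use.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # 3.x keeps the enable_rbac_authorization attribute used in the question
    }
  }
}

provider "azurerm" {
  features {}
}

# Inputs assumed for this example: an existing resource group, and the object ID
# of the user or group allowed to create identities and assign roles.
variable "resource_group_name"   { type = string }
variable "delegate_principal_id" { type = string }

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}

# Create the vault on the RBAC permission model up front. Changing an existing
# vault's model is the operation that the error in the question attributes to
# Microsoft.Authorization/roleAssignments/write on the vault resource.
resource "azurerm_key_vault" "kv" {
  name                      = "kv-example-placeholder" # placeholder; must be globally unique
  location                  = data.azurerm_resource_group.rg.location
  resource_group_name       = data.azurerm_resource_group.rg.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true
  purge_protection_enabled  = true
}

# The workload identity and the one data-plane role it needs on the vault.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app-placeholder" # placeholder name
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
}

resource "azurerm_role_assignment" "app_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# Roles the delegate may assign. Built-in role definition IDs (assumed; verify
# with `az role definition list --name "<role name>"`).
locals {
  delegable_role_ids = [
    "acdd72a7-3385-48ef-bd42-f606fba81ae7", # Reader
    "4633458b-17de-408a-b874-0445c86b69e6", # Key Vault Secrets User
  ]
  delegable_guid_list = join(", ", local.delegable_role_ids)
}

# The delegate may create and delete user-assigned identities in the group ...
resource "azurerm_role_assignment" "delegate_identity" {
  scope                = data.azurerm_resource_group.rg.id
  role_definition_name = "Managed Identity Contributor"
  principal_id         = var.delegate_principal_id
}

# ... and may add or remove only the allow-listed roles. Owner, User Access
# Administrator and an unconditioned RBAC Administrator are never delegated.
resource "azurerm_role_assignment" "delegate_rbac" {
  scope                = data.azurerm_resource_group.rg.id
  role_definition_name = "Role Based Access Control Administrator"
  principal_id         = var.delegate_principal_id
  condition_version    = "2.0"
  condition            = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guid_list}}
      )
    )
    AND
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
      )
      OR
      (
        @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.delegable_guid_list}}
      )
    )
  EOT
}
```

The principal that runs this configuration is deliberately not given its role-assignment permission here: the question reports that the vault's permission model could only be changed once the conditioned "Allow all except specific roles" assignments were removed, so the Terraform service principal needs an unconditioned role-assignment permission at resource-group scope, granted out of band, while humans keep only the conditioned delegation above. Keeping the two separate means no person holds the unconstrained permission directly, and the Terraform principal's credentials become the thing to protect and audit.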

2 answers

  1. Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator
    2024-12-24T01:50:14.9433333+00:00

  2. Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
    2024-12-26T15:08:38.8366667+00:00
